Hi Ondra,

It's not, but you need to use insecure connection then (you need to have following line in /etc/ovirt-engine/aaa/domain.properties):

 pool.default.ssl.insecure = true

I ended up generating a cert on one of the AD machines, copying it to the host, and then specified it in the setup process via ovirt-engine-extension-aaa-ldap-setup.
It seems to create a .jks file. It still gave me the same 'peer not authenticated' so I checked the krb5.keytab and saw that there was no SPN for http, so I rejoined the domain and specified http as a service name via adcli, and then things worked.
 

So double check that, and if it still won't work, the logs from ovirt-engine-extensions-tool would help, you can generate them as follows:

 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa ....


Do I need to set up Apache separately to use LDAP auth? The service
principals exist in the krb5.keytab, but I don't if that is only if you
are using SSO.

 Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
don't need anything related to kerberos.

I think I was under the impression that you needed to join the domain in order to auth via AD. However, I've now seen one HOWTO that says that you just need the cert from AD to be able to auth securely though I'm not entirely clear whether that works for Apache. Is that correct - Kerberos, binding etc is not needed for the oVirt web interface to auth securely?

Thanks,

Cam
 


Thanks,

Cam

_______________________________________________

        Users mailing list
         Users@ovirt.org <mailto:Users@ovirt.org>
        http://lists.ovirt.org/mailman/listinfo/users
        <http://lists.ovirt.org/mailman/listinfo/users>